---
description: |
  The `powershell` Packer provisioner runs PowerShell scripts on Windows machines.
  Learn how to use the provisioner with WinRM and SSH communicators.
page_title: powershell provisioner reference
---

⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️
> [!IMPORTANT]  
> **Documentation Update:** Product documentation previously located in `/website` has moved to the [`hashicorp/web-unified-docs`](https://github.com/hashicorp/web-unified-docs) repository, where all product documentation is now centralized. Please make contributions directly to `web-unified-docs`, since changes to `/website` in this repository will not appear on developer.hashicorp.com.
⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️⚠️

<BadgesHeader>
  <PluginBadge type="official" />
</BadgesHeader>

# `powershell` provisioner

The `powershell` Packer provisioner runs PowerShell scripts on Windows machines.
The provisioner is designed for machines using WinRM as the communicator, but you can also use the provisioner with the SSH communicator. Refer to the [Combining the PowerShell Provisioner with the SSH Communicator](#combining-the-powershell-provisioner-with-the-ssh-communicator) for
details.

`@include 'path/separator-note.mdx'`

## Basic Example

The example below is fully functional.

<Tabs>
<Tab heading="HCL2">

```hcl
provisioner "powershell" {
  inline = ["dir c:/"]
}
```

</Tab>
<Tab heading="JSON">

```json
{
  "type": "powershell",
  "inline": ["dir c:/"]
}
```

</Tab>
</Tabs>

## Configuration Reference

@include 'provisioners/shell-config.mdx'

- `debug_mode` - If set, sets PowerShell's [PSDebug mode](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/set-psdebug?view=powershell-7)
  in order to make script debugging easier. For instance, setting the value to 1
  results in adding this to the execute command:

  ```powershell
  Set-PSDebug -Trace 1
  ```

- `elevated_execute_command` (string) - The command to use to execute the
  elevated script. By default this is as follows:

  ```powershell
  powershell -executionpolicy bypass "& { if (Test-Path variable:global:ProgressPreference){$ProgressPreference='SilentlyContinue'};. {{.Vars}}; &'{{.Path}}'; exit $LastExitCode }"
  ```

  This is a [template engine](/packer/docs/templates/legacy_json_templates/engine).
  Therefore, you may use user variables and template functions in this field. In
  addition, you may use two extra variables:

  - `Path`: The path to the script to run
  - `Vars`: The location of a temp file containing the list of
    `environment_vars`, if configured.

- `env` (map of strings) - A map of key/value pairs to inject prior to the
  execute_command. Packer injects some environmental variables by default into
  the environment, as well, which are covered in the section below. Duplicate
  `env` settings override `environment_vars` settings. This is not a JSON
  template engine enabled function. HCL interpolation works as usual.

- `environment_vars` (array of strings) - An array of key/value pairs to
  inject prior to the execute_command. The format should be `key=value`.
  Packer injects some environmental variables by default into the
  environment, as well, which are covered in the section below.

- `use_pwsh` (boolean) - Run `pwsh.exe` instead of `powershell.exe`. Defaults to false.

  This is a [template engine](/packer/docs/templates/legacy_json_templates/engine). Therefore, you
  may use user variables and template functions in this field. If you are
  running on AWS, Azure, Google Compute, or OpenStack and would like to access
  the autogenerated password that Packer uses to connect to the instance via
  WinRM, you can use the `build` template engine to inject it using
  `` {{ build `Password` }} ``. In HCL templates, you can do the same thing by
  accessing the `build` variables For example:

<Tabs>
<Tab heading="HCL2">

```hcl
provisioner "powershell" {
  environment_vars = ["WINRMPASS=${build.Password}"]
  inline = ["Write-Host \"Automatically generated aws password is: $Env:WINRMPASS\""]
}
```

</Tab>
<Tab heading="JSON">

```json
{
  "type": "powershell",
  "environment_vars": ["WINRMPASS={{ build `Password` }}"],
  "inline": ["Write-Host \"Automatically generated aws password is: $Env:WINRMPASS\""]
},
```

</Tab>
</Tabs>

- `execute_command` (string) - The command to use to execute the script. By
  default this is as follows:

  ```powershell
  powershell -executionpolicy bypass "& { if (Test-Path variable:global:ProgressPreference){$ProgressPreference='SilentlyContinue'};. {{.Vars}}; &'{{.Path}}'; exit $LastExitCode }"
  ```

  This is a [template engine](/packer/docs/templates/legacy_json_templates/engine).
  Therefore, you may use user variables and template functions in this field. In
  addition, you may use two extra variables:

  - `Path`: The path to the script to run
  - `Vars`: The location of a temp file containing the list of
    `environment_vars`, if configured.
    The value of both `Path` and `Vars` can be manually configured by setting
    the values for `remote_path` and `remote_env_var_path` respectively.

  If you use the SSH communicator and have changed your default shell, you
  may need to modify your `execute_command` to make sure that the command is
  valid and properly escaped; the default assumes that you have not changed
  the default shell away from cmd.

- `elevated_user` and `elevated_password` (string) - If specified, the
  PowerShell script will be run with elevated privileges using the given
  Windows user.

  This is a [template engine](/packer/docs/templates/legacy_json_templates/engine). Therefore, you
  may use user variables and template functions in this field. If you are
  running on AWS, Azure, Google Compute, or OpenStack and would like to access
  the autogenerated password that Packer uses to connect to the instance via
  WinRM, you can use the `build` template engine to inject it using
  `` {{ build `Password` }} ``. In HCL templates, you can do the same thing by
  accessing the `build` variables For example:

<Tabs>
<Tab heading="HCL2">

```hcl
provisioner "powershell" {
    elevated_user = "Administrator"
    elevated_password = build.Password
}
```

</Tab>
<Tab heading="JSON">

```json
{
  "type": "powershell",
  "elevated_user": "Administrator",
  "elevated_password": "{{ build `Password` }}",
  ...
},
```

</Tab>
</Tabs>

If you specify an empty `elevated_password` value then the PowerShell
script is run as a service account. For example:

<Tabs>
<Tab heading="HCL2">

```hcl
provisioner "powershell" {
  elevated_user = "SYSTEM"
  elevated_password = ""
}
```

</Tab>
<Tab heading="JSON">

```json
{
  "type": "powershell",
  "elevated_user": "SYSTEM",
  "elevated_password": "",
  ...
},
```

</Tab>
</Tabs>

- `execution_policy` - To run ps scripts on Windows, Packer defaults this to
  "bypass" and wraps the command to run. Setting this to "none" will prevent
  wrapping, allowing to see exit codes on Docker for Windows. Possible values
  are `bypass`, `allsigned`, `default`, `remotesigned`, `restricted`,
  `undefined`, `unrestricted`, and `none`.

- `remote_path` (string) - The path where the PowerShell script will be
  uploaded to within the target build machine. This defaults to
  `C:/Windows/Temp/script-UUID.ps1` where UUID is replaced with a dynamically
  generated string that uniquely identifies the script.

  This setting allows users to override the default upload location. The
  value must be a writable location and any parent directories must already
  exist.

- `remote_env_var_path` (string) - Environment variables required within the
  remote environment are uploaded within a PowerShell script and then enabled
  by 'dot sourcing' the script immediately prior to execution of the main
  command or script.

  The path the environment variables script will be uploaded to defaults to
  `C:/Windows/Temp/packer-ps-env-vars-UUID.ps1` where UUID is replaced with a
  dynamically generated string that uniquely identifies the script.

  This setting allows users to override the location the environment variable
  script is uploaded to. The value must be a writable location and any parent
  directories must already exist.

- `skip_clean` (bool) - Whether to clean scripts up after executing the provisioner.
  Defaults to false. When true any script created by a non-elevated Powershell
  provisioner will be removed from the remote machine. Elevated scripts,
  along with the scheduled tasks, will always be removed regardless of the
  value set for `skip_clean`.

- `start_retry_timeout` (string) - The amount of time to attempt to _start_
  the remote process. By default this is `5m` or 5 minutes. This setting
  exists in order to deal with times when SSH may restart, such as a system
  reboot. Set this to a higher value if reboots take a longer amount of time.

- `pause_after` (string) - Wait the amount of time after provisioning a PowerShell
  script, this pause be taken if all previous steps were successful.

@include 'provisioners/common-config.mdx'

## Default Environmental Variables

In addition to being able to specify custom environmental variables using the
`environment_vars` configuration, the provisioner automatically defines certain
commonly useful environmental variables:

- `PACKER_BUILD_NAME` is set to the [name of the
  build](/packer/docs/templates/legacy_json_templates/builders#named-builds) that Packer is running.
  This is most useful when Packer is making multiple builds and you want to
  distinguish them slightly from a common provisioning script.

- `PACKER_BUILDER_TYPE` is the type of the builder that was used to create
  the machine that the script is running on. This is useful if you want to
  run only certain parts of the script on systems built with certain
  builders.

- `PACKER_HTTP_ADDR` If using a builder that provides an HTTP server for file
  transfer (such as `hyperv`, `parallels`, `qemu`, `virtualbox`, and `vmware`), this
  will be set to the address. You can use this address in your provisioner to
  download large files over HTTP. This may be useful if you're experiencing
  slower speeds using the default file provisioner. A file provisioner using
  the `winrm` communicator may experience these types of difficulties.

## Combining the PowerShell Provisioner with the SSH Communicator

The good news first. If you are using the [Microsoft port of
OpenSSH](https://github.com/PowerShell/Win32-OpenSSH/wiki) then the provisioner
should just work as expected - no extra configuration effort is required.

Now the caveats. If you are using an alternative configuration, and your SSH
connection lands you in a \*nix shell on the remote host, then you will most
likely need to manually set the `execute_command`; The default
`execute_command` used by Packer will not work for you. When configuring the
command you will need to ensure that any dollar signs or other characters that
may be incorrectly interpreted by the remote shell are escaped accordingly.

The following example shows how the standard `execute_command` can be
reconfigured to work on a remote system with
[Cygwin/OpenSSH](https://cygwin.com/) installed. The `execute_command` has each
dollar sign backslash escaped so that it is not interpreted by the remote Bash
shell - Bash being the default shell for Cygwin environments.

<Tabs>
<Tab heading="HCL2">

```hcl
provisioner "powershell" {
    execute_command = "powershell -executionpolicy bypass \"& { if (Test-Path variable:global:ProgressPreference){\\$ProgressPreference='SilentlyContinue'};. {{.Vars}}; &'{{.Path}}'; exit \\$LastExitCode }\""
    inline          = [ "Write-Host \"Hello from PowerShell\""]
}
```

</Tab>
<Tab heading="JSON">

```json
"provisioners": [
  {
    "type": "powershell",
    "execute_command": "powershell -executionpolicy bypass \"& { if (Test-Path variable:global:ProgressPreference){\\$ProgressPreference='SilentlyContinue'};. {{.Vars}}; &'{{.Path}}'; exit \\$LastExitCode }\"",
    "inline": ["Write-Host \"Hello from PowerShell\""]
  }
]
```

</Tab>
</Tabs>

## Packer's Handling of Characters Special to PowerShell

The escape character in PowerShell is the `backtick`, also sometimes referred
to as the `grave accent`. When, and when not, to escape characters special to
PowerShell is probably best demonstrated with a series of examples.

### When To Escape...

Users need to deal with escaping characters special to PowerShell when they
appear _directly_ in commands used in the `inline` PowerShell provisioner and
when they appear _directly_ in the users own scripts. Note that where double
quotes appear within double quotes, the addition of a backslash escape is
required for the JSON template to be parsed correctly.

<Tabs>
<Tab heading="HCL2">

```hcl
provisioner "powershell" {
    inline = [
        "Write-Host \"A literal dollar `$ must be escaped\"",
        "Write-Host \"A literal backtick `` must be escaped\"",
        "Write-Host \"Here `\"double quotes`\" must be escaped\"",
        "Write-Host \"Here `'single quotes`' don`'t really need to be\"",
        "Write-Host \"escaped... but it doesn`'t hurt to do so.\"",
    ]
}
```

</Tab>
<Tab heading="JSON">

```json
  "provisioners": [
    {
      "type": "powershell",
      "inline": [
          "Write-Host \"A literal dollar `$ must be escaped\"",
          "Write-Host \"A literal backtick `` must be escaped\"",
          "Write-Host \"Here `\"double quotes`\" must be escaped\"",
          "Write-Host \"Here `'single quotes`' don`'t really need to be\"",
          "Write-Host \"escaped... but it doesn`'t hurt to do so.\""
      ]
    }
  ]
```

</Tab>
</Tabs>

The above snippet should result in the following output on the Packer console:

```shell-session
==> amazon-ebs: Provisioning with Powershell...
==> amazon-ebs: Provisioning with PowerShell script: /var/folders/15/d0f7gdg13rnd1cxp7tgmr55c0000gn/T/packer-powershell-provisioner508190439
    amazon-ebs: A literal dollar $ must be escaped
    amazon-ebs: A literal backtick ` must be escaped
    amazon-ebs: Here "double quotes" must be escaped
    amazon-ebs: Here 'single quotes' don't really need to be
    amazon-ebs: escaped... but it doesn't hurt to do so.
```

### When Not To Escape...

Special characters appearing in user environment variable values and in the
`elevated_user` and `elevated_password` fields will be automatically dealt with
for the user. There is no need to use escapes in these instances.

<Tabs>
<Tab heading="HCL2">

```hcl
variable "psvar" {
  type    = string
  default = "My$tring"
}

build {
  sources = ["source.amazon-ebs.example"]

  provisioner "powershell" {
      elevated_user     = "Administrator"
      elevated_password = "Super$3cr3t!"
      inline            = ["Write-Output \"The dollar in the elevated_password is interpreted correctly\""]
  }
  provisioner "powershell" {
    environment_vars = [
        "VAR1=A$Dollar",
        "VAR2=A`Backtick",
        "VAR3=A'SingleQuote",
        "VAR4=A\"DoubleQuote",
        "VAR5=${var.psvar}",
    ]
    inline = [
      "Write-Output \"In the following examples the special character is interpreted correctly:\"",
      "Write-Output \"The dollar in VAR1:                            $Env:VAR1\"",
      "Write-Output \"The backtick in VAR2:                          $Env:VAR2\"",
      "Write-Output \"The single quote in VAR3:                      $Env:VAR3\"",
      "Write-Output \"The double quote in VAR4:                      $Env:VAR4\"",
      "Write-Output \"The dollar in VAR5 (expanded from a user var): $Env:VAR5\"",
    ]
  }
}
```

</Tab>
<Tab heading="JSON">

```json
{
  "variables": {
    "psvar": "My$tring"
  },
  ...
  "provisioners": [
    {
      "type": "powershell",
      "elevated_user": "Administrator",
      "elevated_password": "Super$3cr3t!",
      "inline": "Write-Output \"The dollar in the elevated_password is interpreted correctly\""
    },
    {
      "type": "powershell",
      "environment_vars": [
        "VAR1=A$Dollar",
        "VAR2=A`Backtick",
        "VAR3=A'SingleQuote",
        "VAR4=A\"DoubleQuote",
        "VAR5={{user `psvar`}}"
      ],
      "inline": [
        "Write-Output \"In the following examples the special character is interpreted correctly:\"",
        "Write-Output \"The dollar in VAR1:                            $Env:VAR1\"",
        "Write-Output \"The backtick in VAR2:                          $Env:VAR2\"",
        "Write-Output \"The single quote in VAR3:                      $Env:VAR3\"",
        "Write-Output \"The double quote in VAR4:                      $Env:VAR4\"",
        "Write-Output \"The dollar in VAR5 (expanded from a user var): $Env:VAR5\""
      ]
    }
  ]
  ...
}
```

</Tab>
</Tabs>

The above snippet should result in the following output on the Packer console:

```shell-session
==> amazon-ebs: Provisioning with Powershell...
==> amazon-ebs: Provisioning with PowerShell script: /var/folders/15/d0f7gdg13rnd1cxp7tgmr55c0000gn/T/packer-powershell-provisioner961728919
    amazon-ebs: The dollar in the elevated_password is interpreted correctly
==> amazon-ebs: Provisioning with Powershell...
==> amazon-ebs: Provisioning with PowerShell script: /var/folders/15/d0f7gdg13rnd1cxp7tgmr55c0000gn/T/packer-powershell-provisioner142826554
    amazon-ebs: In the following examples the special character is interpreted correctly:
    amazon-ebs: The dollar in VAR1:                            A$Dollar
    amazon-ebs: The backtick in VAR2:                          A`Backtick
    amazon-ebs: The single quote in VAR3:                      A'SingleQuote
    amazon-ebs: The double quote in VAR4:                      A"DoubleQuote
    amazon-ebs: The dollar in VAR5 (expanded from a user var): My$tring
```
